Harness cutting-edge technology and the Secureworks Counter Threat Unit™ (CTU™) Research Team to analyze and prioritize global and targeted threats to assist you so you in proactively preventing security attacks.

Summary

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390). Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China. The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations. The group extensively uses long-running strategic web compromises[2] (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.

CTU researchers divided the threat intelligence about TG-3390 into two sections: strategic and tactical. Strategic threat intelligence includes an assessment of the ongoing threat posed by the threat group. Executives can use this assessment to determine how to reduce risk to their organization's mission and critical assets. Tactical threat intelligence is based on incident response investigations and research, and is mapped to the kill chain. Computer network defenders can use this information to reduce the time and effort associated with responding to TG-3390.

Key points

Explanations of how CTU researchers identify attribution and gauge confidence levels are available in the Appendix A.

CTU researchers assess with moderate confidence that TG-3390 is based in the People's Republic of China.

CTU researchers have evidence that the threat group compromised U.S. and UK organizations in the following verticals: manufacturing (specifically aerospace (including defense contractors), automotive, technology, energy, and pharmaceuticals), education, and legal, as well as organizations focused on international relations. Based on analysis of the group's SWCs, TG-3390 operations likely affect organizations in other countries and verticals.

TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication. Through an IP address whitelisting process, the threat group selectively targets visitors to these websites.

After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.

The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal.

CTU researchers recommend the following practices to prevent or detect TG-3390 intrusions:

Search web log files for evidence of web server scanning using the URIs listed in the Exploitation section and evidence of exfiltration using the User-Agent in the Actions on objective section.

Require two-factor authentication for all remote access solutions, including OWA.

Strategic threat intelligence

CTU researchers assess the threat posed by a threat group by reviewing intent and capability (see Figure 1). Threat groups pose varying threats to different organizations, and even a very capable group may pose a low threat if it does not have the intent to target a particular organization.

Figure 1. Threat is based on a threat group's intent and capability. (Source: Dell SecureWorks)

Intent

CTU researchers infer intent by aggregating observations, analyzing a threat group's activity, and placing the information in a wider context.

Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also known as watering hole attacks, on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information. CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control. Most websites compromised by TG-3390 actors are affiliated with five types of organizations around the world:

embassies in Washington, DC representing countries in the Middle East, Europe, and Asia, likely to target U.S.-based users involved in international relations

non-governmental organizations (NGOs), particularly those focused on international relations and defense

government organizations

Based on this information, CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence, other industrial intelligence, and political intelligence from governments and NGOs.

Attribution

To assess attribution, CTU researchers analyze observed activity, third-party reporting, and contextual intelligence. For the following reasons, CTU researchers assess with moderate confidence that TG-3390 has a Chinese nexus:

The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group, a Muslim minority group primarily found in the Xinjiang region of China. Threat groups outside of China are unlikely to target the Uyghur people.

TG-3390 uses the PlugX remote access tool. The menus for PlugX's server-side component are written exclusively in Standard Chinese (Mandarin), suggesting that PlugX operators are familiar with this language.

CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC, which is 12:00 to 17:00 local time in China (UTC +8). The timeframe maps to the second half of the workday in China.

The threat actors have used the Baidu search engine, which is only available in Chinese, to conduct reconnaissance activities.

CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in U.S. military capability, or both.

CTU researchers recognize that the evidence supporting this attribution is circumstantial. It is possible that TG-3390 is false-flag operation by a threat group outside of China that is deliberately planting indications of a Chinese origin.

Capability

TG-3390 has access to proprietary tools, some of which are used exclusively by TG-3390 and others that are shared among a few Chinese threat groups. The complexity and continual development of these tools indicates a mature development process. TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments. This ability is further demonstrated by analysis of interactions between TG-3390 operators and a target environment. CTU researchers found no evidence of multiple operators working simultaneously against a single organization. This efficiency of operation (a 1:1 ratio of operator to observed activity) suggests that TG-3390 can scale to conduct the maximum number of simultaneous operations. These characteristics suggest that the threat group is well resourced and has access to a tools development team and a team focused on SWCs.

Technical proficiency

TG-3390's obfuscation techniques in SWCs complicate detection of malicious web traffic redirects. Malware used by the threat group can be configured to bypass network-based detection; however, the threat actors rarely modify host-based configuration settings when deploying payloads. CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers, which requires a technical grasp of Internet Information Services (IIS). TG-3390 uses older exploits to compromise targets, and CTU researchers have not observed the threat actors using zero-day exploits as of this publication. The threat actors demonstrated the ability to adapt when reentering a network after an eviction, overcoming technical barriers constructed by network defenders.

Tradecraft

In addition to using SWCs to target specific types of organizations, TG-3390 uses spearphishing emails to target specific victims. CTU researchers assess with high confidence that the threat actors follow an established playbook during an intrusion. They quickly move away from their initial access vector to hide their entry point and then target Exchange servers as a new access vector. As of this publication, CTU researchers have not discovered how TG-3390 keeps track of the details associated with its compromised assets and credentials. However, the threat actors' ability to reuse these assets and credentials, sometimes weeks or months after the initial compromise, indicates the group is disciplined and well organized. After gaining access to a target network in one intrusion analyzed by CTU researchers, TG-3390 actors identified and exfiltrated data for specific projects run by the target organization, indicating that they successfully obtained the information they sought. Data exfiltration occurred almost four weeks after the initial compromise and continued for two weeks (see Figure 2).

Figure 2. Data exfiltration timeline. (Source: Dell SecureWorks)

Note: The adversary's end goal is to exfiltrate, not infiltrate. Organizations often miss multiple opportunities to detect and disrupt the threat actors before they can achieve their objective. Alerts for credential theft tools and privileged account lockouts should be investigated.

Tactical threat intelligence

Known tools

CTU researchers have observed TG-3390 actors using tools that are favored by multiple threat groups:

PlugX — A remote access tool notable for communications that may contain HTTP headers starting with "X-" (e.g., "X-Session: 0"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system.

HttpBrowser (also known as TokenControl) — A backdoor notable for HTTPS communications with the HttpBrowser/1.0 User-Agent (see Figure 3). HttpBrowser's executable code may be obfuscated through structured exception handling and return-oriented programming. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B.

OwaAuth web shell — A web shell and credential stealer deployed to Microsoft Exchange servers. It is installed as an ISAPI filter. Captured credentials are DES-encrypted using the password "12345678" and are written to the log.txt file in the root directory. Like the ChinaChopper web shell, the OwaAuth web shell requires a password. However, the OwaAuth web shell password contains the victim organization's name. More information about the OwaAuth web shell is available in Appendix C.

Tactics, techniques, and procedures

Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions.

Reconnaissance

CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations. As discussed in the Actions on objectives section, the threat actors appear to wait until they have established a foothold.

Development

TG-3390 actors use command and control (C2) domains for extended periods of time but frequently change the domains' IP addresses. The new IP addresses are typically on the same subnet as the previous ones.

TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars. The most common registrar used by the adversary is HiChina Zhicheng Technology Ltd. The threat actors have a demonstrated ability to move from one network provider to another, using some infrastructure for extended periods of time and other domains for only a few days. Seemingly random activity patterns in infrastructure deployment and usage, along with the ability to use a wide variety of geographically diverse infrastructure, help the threat actors avoid detection.

TG-3390 SWCs may be largely geographically independent, but the group's most frequently used C2 registrars and IP net blocks are located in the U.S. Using a U.S.-based C2 infrastructure (see Figure 7) to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense.

The threat actors create PlugX DLL stub loaders that will run only after a specific date. The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8, 2013 date, indicating that the code might be reused from previous tools.

The OwaAuth web shell is likely created with a builder, given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size. The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells.

Weaponization

As of this publication, CTU researchers are unsure if TG-3390 relies on weaponizers to package tools and exploits.

Delivery

TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments. The ZIP archives have names relevant to the targets and contain both legitimate files and malware. One archive sample analyzed by CTU researchers contained a legitimate PDF file, a benign image of interest to targets (see Figure 8), and an HttpBrowser installer disguised as an image file.

Figure 8. Decoy image. (Source: Dell SecureWorks)

In SWCs analyzed by CTU researchers, the threat actors added the Dean Edwards packed JavaScript code shown in Figure 9 to the end of a legitimate website's menu page.

Figure 9. SWC code. (Source: Dell SecureWorks)

As shown in Figure 10, the unpacked JavaScript code reveals an iframe pointing to an IP address that is hosting the exploit.

Figure 10. Unpacked JavaScript code. (Source: Dell SecureWorks)

Both the redirect code on the compromised site and the exploit code appear and disappear, indicating that the adversaries add the code when they want to leverage the SWC and remove the code when it is not in use to limit the visibility of their operations. The threat actors have evolved to whitelisting IP addresses and only delivering the exploit and payload to specific targets of interest. CTU researchers have observed TG-3390 compromising a target organization's externally and internally accessible assets, such as an OWA server, and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware.

Exploitation

TG-3390 actors have used Java exploits in their SWCs. In particular, the threat actors have exploited CVE-2011-3544, a vulnerability in the Java Runtime Environment, to deliver the HttpBrowser backdoor; and CVE-2010-0738, a vulnerability in JBoss, to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code.

In activity analyzed by CTU researchers, TG-3390 executed the Hunter web application scanning tool against a target server running IIS. Hunter queried the following URIs in a specific order to determine if the associated software configurations are insecure, and all queries contained the HttpClient User-Agent:

GET /manager/html/ — Tomcat web application manager

GET /jmx-console/ — JBoss configuration

GET /CFIDE/administrator/login.cfm — ColdFusion configuration

Installation

TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. CTU researchers have observed the threat actors employing legitimate Kaspersky antivirus variants in analyzed samples. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system.

Note: DLL side loading is a prevalent persistence technique that is used to launch a multitude of backdoors. The challenge is detecting known good software loading and running malware. As security controls have improved, DLL side loading has evolved to load a payload stored in a different directory or from a registry value.

In other cases, threat actors placed web shells on externally accessible servers, sometimes behind a reverse proxy, to execute commands on the compromised system. TG-3390 actors have deployed the OwaAuth web shell to Exchange servers, disguising it as an ISAPI filter. The IIS w3wp.exe process loads the malicious DLL, which CTU researchers have observed in the Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Bin directory.

Command and control

To traverse the firewall, C2 traffic for most TG-3390 tools occurs over ports 53, 80, and 443. The PlugX malware can be configured to use HTTP, DNS, raw TCP, or UDP to avoid network-based detection. In one sample analyzed by CTU researchers, PlugX was configured with hard-coded user credentials to bypass a proxy that required authentication. Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications.

TG-3390 actors frequently change the C2 domain's A record to point to the loopback IP address 127.0.0.1, which is a variation of a technique known as "parking." Other variations of parking point the IP address to Google's recursive name server 8.8.8.8, an address belonging to Confluence, or to other non-routable addresses. When the adversaries' operations are live, they modify the record again to point the C2 domain to an IP address they can access. A domain name parking example is available in Appendix D.

Actions on objective

CTU researchers have discovered numerous details about TG-3390 operations, including how the adversaries explore a network, move laterally, and exfiltrate data. As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain.

Over a few days' span, the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance. They use At.exe to schedule tasks to run self-extracting RAR archives, which install either HttpBrowser or PlugX. CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN (see Figure 13).

CTU researchers have observed the threat actors encrypting data using the password "admin-windows2014" and splitting the RAR archives into parts in the recycler directory, with the same name as the uncompressed data (see Figure 14).

The number at the end of the password corresponds to the year of the intrusion. For example, the password "admin-windows2014" shown in Figure 14 was changed to "admin-windows2015" for TG-3390 intrusions conducted in 2015.

In other intrusions, data was exfiltrated using the PlugX remote access tool. Figure 17 shows network data transfer sizes for a month-long period beginning with TG-3390's re-entry into a network. Approximately 300 GB of data was exfiltrated during that span.

CTU observations

Figure 18 is a UTC time wheel depicting which hours the threat actors actively operated in one target environment during a three-day intrusion observed by CTU researchers. The concentric bands represent the days of the week, with Saturday as the outside band and Sunday as the innermost band, and each cell represents an hour. The darker the cell color, the higher the activity level; white indicates no observed activity. TG-3390 was most active between 04:00 and 09:00 UTC.

Figure 18. Mapping of TG-3390's interactions with web shells during an intrusion responded to by CTU researchers. The legend across the bottom of the figure lists the upper bound of interactions that are represented by each color variation on the wheel. Times are based on UTC. (Source: Dell SecureWorks)

Response to eviction

Successfully evicting TG-3390 from an environment requires a coordinated plan to remove all access points, including remote access tools and web shells. Within weeks of eviction, the threat actors attempt to access their ChinaChopper web shells from previously used IP addresses. Finding the web shells inaccessible, the adversaries search google.co.jp for remote access solutions. CTU researchers discovered the threat actors searching for "[company] login," which directed them to the landing page for remote access. TG-3390 attempts to reenter the environment by identifying accounts that do not require two-factor authentication for remote access solutions, and then brute forcing usernames and passwords. After reestablishing access, the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used. CTU researchers believe legitimate websites are used to host tools because web proxies categorize the sites as benign.

Note: Numerous threat groups use legitimate remote access solutions (VPN, Citrix, OWA, etc.) to enter or reenter a network. After executing an eviction plan, it is paramount to reset all credentials, including those for third-party accounts, preferably after implementing two-factor authentication.

TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations, preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX. After reentering an environment, the threat actors focus on obtaining the active directory contents. Figure 19 shows a timeline of TG-3390 attempting to regain a foothold in a network in a span of only five hours.

Figure 19. Timeline, in Eastern Time, of TG-3390's reentry into a compromised network. (Source: Dell SecureWorks)

Note: Relying primarily on network-based security controls will not deter most threat groups from achieving their objective. Adversaries can overcome blacklisted infrastructure in minutes, as TG-3390 actors did when they staged tools on compromised web servers.

CTU researchers have no evidence to determine if these tools are also used by TG-3390.

Conclusion

TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers. Despite the group's proficiency, there are still many opportunities to detect and disrupt its operation by studying its modus operandi. The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390's determination, organizations should formulate a solid eviction plan before engaging with the threat actors to prevent them from reentering the network.

Threat indicators

The indicators in Table 1 are associated with TG-3390 activity. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Indicator

Type

Context

american.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

api.apigmail.com

Domain name

TG-3390 infrastructure
Confidence: High

apigmail.com

Domain name

TG-3390 infrastructure
Confidence: High

backup.darkhero.org

Domain name

TG-3390 infrastructure
Confidence: High

bel.updatawindows.com

Domain name

TG-3390 infrastructure
Confidence: High

binary.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

castle.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

ctcb.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

darkhero.org

Domain name

TG-3390 infrastructure
Confidence: High

dav.local-test.com

Domain name

TG-3390 infrastructure
Confidence: High

test.local-test.com

Domain name

TG-3390 infrastructure
Confidence: High

dev.local-test.com

Domain name

TG-3390 infrastructure
Confidence: High

ocean.local-test.com

Domain name

TG-3390 infrastructure
Confidence: High

ga.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

helpdesk.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

helpdesk.csc-na.com

Domain name

TG-3390 infrastructure
Confidence: High

helpdesk.hotmail-onlines.com

Domain name

TG-3390 infrastructure
Confidence: High

helpdesk.lnip.org

Domain name

TG-3390 infrastructure
Confidence: High

hotmail-onlines.com

Domain name

TG-3390 infrastructure
Confidence: High

jobs.hotmail-onlines.com

Domain name

TG-3390 infrastructure
Confidence: High

justufogame.com

Domain name

TG-3390 infrastructure
Confidence: High

lnip.org

Domain name

TG-3390 infrastructure
Confidence: High

local-test.com

Domain name

TG-3390 infrastructure
Confidence: High

login.hansoftupdate.com

Domain name

TG-3390 infrastructure
Confidence: High

long.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

longlong.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

longshadow.dyndns.org

Domain name

TG-3390 infrastructure
Confidence: High

longshadow.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

longykcai.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

lostself.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

mac.navydocument.com

Domain name

TG-3390 infrastructure
Confidence: High

mail.csc-na.com

Domain name

TG-3390 infrastructure
Confidence: High

mantech.updatawindows.com

Domain name

TG-3390 infrastructure
Confidence: High

micr0soft.org

Domain name

TG-3390 infrastructure
Confidence: High

microsoft-outlook.org

Domain name

TG-3390 infrastructure
Confidence: High

mtc.navydocument.com

Domain name

TG-3390 infrastructure
Confidence: High

navydocument.com

Domain name

TG-3390 infrastructure
Confidence: High

mtc.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

news.hotmail-onlines.com

Domain name

TG-3390 infrastructure
Confidence: High

oac.3322.org

Domain name

TG-3390 infrastructure
Confidence: High

ocean.apigmail.com

Domain name

TG-3390 infrastructure
Confidence: High

pchomeserver.com

Domain name

TG-3390 infrastructure
Confidence: High

registre.organiccrap.com

Domain name

TG-3390 infrastructure
Confidence: High

security.pomsys.org

Domain name

TG-3390 infrastructure
Confidence: High

services.darkhero.org

Domain name

TG-3390 infrastructure
Confidence: High

sgl.updatawindows.com

Domain name

TG-3390 infrastructure
Confidence: High

shadow.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

sonoco.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

test.logmastre.com

Domain name

TG-3390 infrastructure
Confidence: High

up.gtalklite.com

Domain name

TG-3390 infrastructure
Confidence: High

updatawindows.com

Domain name

TG-3390 infrastructure
Confidence: High

update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

update.deepsoftupdate.com

Domain name

TG-3390 infrastructure
Confidence: High

update.hancominc.com

Domain name

TG-3390 infrastructure
Confidence: High

update.micr0soft.org

Domain name

TG-3390 infrastructure
Confidence: High

update.pchomeserver.com

Domain name

TG-3390 infrastructure
Confidence: High

urs.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

wang.darkhero.org

Domain name

TG-3390 infrastructure
Confidence: High

webs.local-test.com

Domain name

TG-3390 infrastructure
Confidence: High

word.apigmail.com

Domain name

TG-3390 infrastructure
Confidence: High

wordpress.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

working.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

working.darkhero.org

Domain name

TG-3390 infrastructure
Confidence: High

working.hotmail-onlines.com

Domain name

TG-3390 infrastructure
Confidence: High

www.trendmicro-update.org

Domain name

TG-3390 infrastructure
Confidence: High

www.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

x.apigmail.com

Domain name

TG-3390 infrastructure
Confidence: High

ykcai.update-onlines.org

Domain name

TG-3390 infrastructure
Confidence: High

ykcailostself.dyndns-free.com

Domain name

TG-3390 infrastructure
Confidence: High

ykcainobody.dyndns.org

Domain name

TG-3390 infrastructure
Confidence: High

zj.blackcmd.com

Domain name

TG-3390 infrastructure
Confidence: High

laxness-lab.com

Domain name

TG-3390 infrastructure
Confidence: High

google-ana1ytics.com

Domain name

TG-3390 infrastructure
Confidence: High

www.google-ana1ytics.com

Domain name

TG-3390 infrastructure
Confidence: High

ftp.google-ana1ytics.com

Domain name

TG-3390 infrastructure
Confidence: High

hotmailcontact.net

Domain name

TG-3390 infrastructure
Confidence: High

208.115.242.36

IP address

TG-3390 infrastructure
Confidence: High

208.115.242.37

IP address

TG-3390 infrastructure
Confidence: High

208.115.242.38

IP address

TG-3390 infrastructure
Confidence: High

66.63.178.142

IP address

TG-3390 infrastructure
Confidence: High

72.11.148.220

IP address

TG-3390 infrastructure
Confidence: High

72.11.141.133

IP address

TG-3390 infrastructure
Confidence: High

74.63.195.236

IP address

TG-3390 infrastructure
Confidence: High

74.63.195.236

IP address

TG-3390 infrastructure
Confidence: High

74.63.195.237

IP address

TG-3390 infrastructure
Confidence: High

74.63.195.238

IP address

TG-3390 infrastructure
Confidence: High

103.24.0.142

IP address

TG-3390 infrastructure
Confidence: High

103.24.1.54

IP address

TG-3390 infrastructure
Confidence: High

106.187.45.162

IP address

TG-3390 infrastructure
Confidence: High

192.151.236.138

IP address

TG-3390 infrastructure
Confidence: High

192.161.61.19

IP address

TG-3390 infrastructure
Confidence: High

192.161.61.20

IP address

TG-3390 infrastructure
Confidence: High

192.161.61.22

IP address

TG-3390 infrastructure
Confidence: High

103.24.1.54

IP address

TG-3390 infrastructure
Confidence: High

67.215.232.179

IP address

TG-3390 infrastructure
Confidence: High

96.44.177.195

IP address

TG-3390 infrastructure
Confidence: High

49.143.192.221

IP address

TG-3390 infrastructure
Confidence: Moderate

67.215.232.181

IP address

TG-3390 infrastructure
Confidence: Moderate

67.215.232.182

IP address

TG-3390 infrastructure
Confidence: Moderate

96.44.182.243

IP address

TG-3390 infrastructure
Confidence: Moderate

96.44.182.245

IP address

TG-3390 infrastructure
Confidence: Moderate

96.44.182.246

IP address

TG-3390 infrastructure
Confidence: Moderate

49.143.205.30

IP address

TG-3390 infrastructure
Confidence: Moderate

working_success@163.com

Email address

TG-3390 email address
Confidence: High

ykcaihyl@163.com

Email address

TG-3390 email address
Confidence: High

working_success@163.com

Email address

TG-3390 email address
Confidence: High

yuming@yinsibaohu.aliyun.com

Email address

TG-3390 email address
Confidence: Low

1cb4b74e9d030afbb18accf6ee2bfca1

MD5 hash

HttpBrowser RAT dropper

b333b5d541a0488f4e710ae97c46d9c2

MD5 hash

HttpBrowser RAT dropper

86a05dcffe87caf7099dda44d9ec6b48

MD5 hash

HttpBrowser RAT dropper

93e40da0bd78bebe5e1b98c6324e9b5b

MD5 hash

HttpBrowser RAT dropper

f43d9c3e17e8480a36a62ef869212419

MD5 hash

HttpBrowser RAT dropper

57e85fc30502a925ffed16082718ec6c

MD5 hash

HttpBrowser RAT dropper

4251aaf38a485b08d5562c6066370f09

MD5 hash

HttpBrowser RAT dropper

bbfd1e703f55ce779b536b5646a0cdc1

MD5 hash

HttpBrowser RAT dropper

12a522cb96700c82dc964197adb57ddf

MD5 hash

HttpBrowser RAT dropper

728e5700a401498d91fb83159beec834

MD5 hash

HttpBrowser RAT dropper

2bec1860499aae1dbcc92f48b276f998

MD5 hash

HttpBrowser RAT dropper

014122d7851fa8bf4070a8fc2acd5dc5

MD5 hash

HttpBrowser RAT

0ae996b31a2c3ed3f0bc14c7a96bea38

MD5 hash

HttpBrowser RAT

1a76681986f99b216d5c0f17ccff2a12

MD5 hash

HttpBrowser RAT

380c02b1fd93eb22028862117a2f19e3

MD5 hash

HttpBrowser RAT

40a9a22da928cbb70df48d5a3106d887

MD5 hash

HttpBrowser RAT

46cf2f9b4a4c35b62a32f28ac847c575

MD5 hash

HttpBrowser RAT

5436c3469cb1d87ea404e8989b28758d

MD5 hash

HttpBrowser RAT

692cecc94ac440ec673dc69f37bc0409

MD5 hash

HttpBrowser RAT

6a39a4e9933407aef31fdc3dfa2a2a95

MD5 hash

HttpBrowser RAT

8b4ed3b392ee5da139c16b8bca38ea5e

MD5 hash

HttpBrowser RAT

8ea5d8bb6b28191e4436456c35477e39

MD5 hash

HttpBrowser RAT

9271bcfbba056c8f80c7f04d72efd62d

MD5 hash

HttpBrowser RAT

996843b55a7c5c7a36e8c6956e599610

MD5 hash

HttpBrowser RAT

a554efc889714c70e9362bdc81fadd6a

MD5 hash

HttpBrowser RAT

c9c93c2d62a084031872aab96202ee3e

MD5 hash

HttpBrowser RAT

ddbdf0efdf26e0c267ef6155edb0e6b8

MD5 hash

HttpBrowser RAT

e7df18a17d8e7c2ed541a57020444068

MD5 hash

HttpBrowser RAT

ea4dcafc224f604c096032dde33a1d6d

MD5 hash

HttpBrowser RAT

f658bb17d69912404f34532901edad0e

MD5 hash

HttpBrowser RAT

f869a1b40f6438dfdd89e73480103211

MD5 hash

HttpBrowser RAT

81ed752590752016cb1c12f3e9ab3454

MD5 hash

HttpBrowser RAT

5ef719f8aeb9bf97beb24a5c2ed19173

MD5 hash

HttpBrowser RAT

7ec91768376324be2bad4fd30b1c2051

MD5 hash

HttpBrowser RAT

20c446ad2d7d1586138b493ecddfbbc7

MD5 hash

HttpBrowser RAT

44cf0793e05ba843dd53bbc7020e0f1c

MD5 hash

HttpBrowser RAT

02826bb6636337963cc5162e6f87745e

MD5 hash

HttpBrowser RAT

1606ab7a54735af654ee6deb7427f652

MD5 hash

HttpBrowser RAT

1539b3a5921203f0e2b6c05d692ffa27

MD5 hash

HttpBrowser RAT

c66e09429ad6669321e5c69b1d78c082

MD5 hash

HttpBrowser RAT

225e10e362eeee15ec64246ac021f4d6

MD5 hash

HttpBrowser RAT

a631fc7c45cbdf80992b9d730df0ff51

MD5 hash

HttpBrowser RAT

af785b4df71da0786bcae233e55cf6c1

MD5 hash

HttpBrowser RAT

e3e0f3ad4ff3b981b513cc66b37583e8

MD5 hash

HttpBrowser RAT

5cd0e97a1f09001af5213462aa3f7eb1

MD5 hash

HttpBrowser RAT

15fd9c04d6099273a9acf8feab81acfe

MD5 hash

HttpBrowser RAT

ea8b9e0bf95fc0c71694310cb685cd3b

MD5 hash

HttpBrowser RAT

5c3ab475be110ec59257617ee1388e01

MD5 hash

HttpBrowser RAT

6aac7417ea1eb60a869597af9049b8fa

MD5 hash

HttpBrowser RAT

372f5370085a63f5b660fab635ce6cd7

MD5 hash

HttpBrowser RAT

fac4885324cb67bd421d6250fdc9533c

MD5 hash

HttpBrowser RAT

e7e555615a07040bb5dbe9ce59ac5d11

MD5 hash

HttpBrowser RAT

ff34cb1d90d76a656546293e879afe22

MD5 hash

HttpBrowser RAT

2abf7421c34c60d48e09325a206e720e

MD5 Hash

HttpBrowser RAT

396b4317db07cc8a2480786160b33044

MD5 hash

HttpBrowser RAT

e404873d3fcd0268db10657b53bdab64

MD5 hash

HttpBrowser RAT

6e4189b20adb253b3c1ad7f8fdc95009

MD5 hash

HttpBrowser RAT

bff424289c38d389a8cafb16b47dfe39

MD5 hash

HttpBrowser RAT

7294c7f3860315d51f74152e8ad353df

MD5 hash

HttpBrowser RAT

40092f76fea082b05e9631d91975a401

MD5 hash

HttpBrowser RAT

e42fce74bbd637c35320cf4e95f5e055

MD5 hash

HttpBrowser RAT

d0dafc3716a0d0ce393cde30b2b14a07

MD5 hash

HttpBrowser RAT

ae66bad0c7de88ab0ab1050c4bec9095

MD5 hash

HttpBrowser RAT

c7c2be1cd3780b2ba4638cef9a5422c7

MD5 hash

HttpBrowser RAT

405949955b1cb65673c16bf7c8da2f4d

MD5 hash

HttpBrowser RAT

ff4f052dbe73a81403df5e98313000fb

MD5 hash

HttpBrowser RAT

b30fcd362c7b8ac75b7dddfe6cb448c7

MD5 hash

HttpBrowser RAT

1d24f4d20b80562de46a8ac95d0ff8c2

MD5 hash

HttpBrowser RAT

9538bbdb3a73201b40296e9d4dc80ade

MD5 hash

HttpBrowser RAT

46bb2caeda30c09a6337fd46ec98c32c

MD5 hash

HttpBrowser RAT

0c8842e48e80643d91dd290d0f786147

MD5 hash

HttpBrowser RAT

0fc975c3c4e6c546b4f2b5aaed50dd78

MD5 hash

HttpBrowser RAT

41be449f687828466ed7d87f0f30a278

MD5 hash

HttpBrowser RAT

2b95caf3307ebd36cf405b1133b30aa8

MD5 hash

HttpBrowser RAT

ccc715a4d9d0157b9776deacdb26bf78

MD5 hash

HttpBrowser RAT

37933acfa8d8e78c54413d88ca705e17

MD5 hash

HttpBrowser RAT

2813c5a1c87f7e3d33174fed8b0988a1

MD5 hash

HttpBrowser RAT

8f22834efe52ccefb17e768569eb36b9

MD5 hash

HttpBrowser RAT

6f01628a0b5de757a8dbe99020499d10

MD5 hash

HttpBrowser RAT

7f8d9f12f41156512b60ab17f8d85fe9

MD5 hash

HttpBrowser RAT

debe5ef2868b212f4251c58be1687660

MD5 hash

HttpBrowser RAT

e136d4ebab357fd19df8afe221460571

MD5 hash

HttpBrowser RAT

a86a906cfafaf1d7e3725bb0161b0cfe

MD5 hash

HttpBrowser RAT

03e1eac3512a726da30fff41dbc26039

MD5 hash

HttpBrowser RAT

baac5e5dd3ce7dae56cab6d3dac14e15

MD5 hash

HttpBrowser RAT

0f7dde31fbeb5ddbb6230c401ed41561

MD5 hash

HttpBrowser RAT

36d957f6058f954541450f5a85b28d4b

MD5 hash

HttpBrowser RAT

42d874f91145bd2ddf818735346022d8

MD5 hash

HttpBrowser RAT

3468034fc3ac65c60a1f1231e3c45107

MD5 hash

HttpBrowser RAT

4e3b51a6a18bdb770fc38650a70b1883

MD5 hash

HttpBrowser RAT

3647068230839f9cadf0fd4bd82ade84

MD5 hash

HttpBrowser RAT

550922107d18aa4caad0267997709ee5

MD5 hash

HttpBrowser RAT

d8f0a6450f9df637daade521dc90d29d

MD5 hash

HttpBrowser RAT

bf2e2283b19b0febc4bd1f47aa82a94c

MD5 hash

HttpBrowser RAT

d0eec2294a70ceff84ca8d0ed7939fb5

MD5 hash

HttpBrowser RAT

e91d2464c8767552036dd0294fc7e6fb

MD5 hash

HttpBrowser RAT

f627bc2db3cab34d97c8949931cb432d

MD5 hash

HttpBrowser RAT

b313bbe17bd5ee9c00acff3bfccdb48a

MD5 hash

PlugX RAT dropper

f7a842eb1364d1269b40a344510068e8

MD5 hash

PlugX RAT dropper

8dacca7dd24844935fcd34e6c9609416

MD5 hash

PlugX RAT dropper

7cffd679599fb8579abae8f32ce49026

MD5 hash

PlugX RAT dropper

462fd01302bc40624a44b7960d2894cd

MD5 hash

PlugX RAT dropper

Table 1. TG-3390 indicators.

Appendix A — Identifying attribution and gauging confidence

Identifying attribution

In most cases, CTU researchers not have intelligence to directly attribute a threat group, so attribution relies on circumstantial evidence and is an assessment rather than a fact. CTU researchers draw on three distinct intelligence bases for evidence of attribution:

Observed activity is gathered from CTU researchers' observation and investigation of a threat group's activity on a target network and across Dell SecureWorks data, and analysis of tactics, techniques, and procedures (TTPs) the threat group employs.

Third-party intelligence is gained from trusted relationships within the security industry and with other private and public sector organizations, as well as analysis of open source intelligence.

Contextual analysis compares threat group targets against intelligence requirements of nation states and other threat actors and compares tradecraft employed by a threat group to tradecraft of known threat actors.

Gauging confidence level

CTU researchers have adopted the grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments:

High confidence generally indicates that judgments are based on high-quality information, and/or that the nature of the issue makes it possible to render a solid judgment. A "high confidence" judgment is not a fact or a certainty, however, and such judgments still carry a risk of being wrong.

Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.

Low confidence generally means that the information's credibility and/or plausibility is questionable, or that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that [there are] significant concerns or problems with the sources.

Appendix B — HttpBrowser analysis

HttpBrowser is a remote access tool whose name originates from the hard-coded "HttpBrowser/1.0" User-Agent. CTU researchers also identified a PDB string in the binaries, J:\TokenControlV3\ServerDll\Release\ServerDll.pdb, which implies that the threat actors may refer to the tool as "TokenControl." Table 2 lists the commands available to threat actors in one of the HttpBrowser variants.

Command

Functionality

Init

Create a reverse shell

Write

Write a file to the compromised system from the C2 server

List

List the files in a directory

Upload

Upload a file from the compromised system to the C2 server

Table 2. HttpBrowser command set. (Source: Dell SecureWorks)

Other variants of the backdoor may include additional commands such as setcmd, settime, uninstall, and down. Table 3 shows the unencrypted URL parameters, along with sample data and a description of the data.

URL parameter

Sample data

Description

c=

Victim->Administrator

Hostname and username

l=

192.168.1.100

Compromised system's IP address

o=

5,1,1,32

Windows major and minor version, coupled with
architecture (32 v. 64)

u=

{B5B70BD7-87FC-499A-B4D1-
98163306F0D8}

A GUID

r=

1

Boolean value if the malware is running as injected code

t=

8035187

Number of milliseconds the computer has been running

Table 3. HttpBrowser parameters. (Source: Dell SecureWorks)

Appendix C — OwaAuth web shell analysis

OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. Like ChinaChopper, it parses HTTP requests for the Z1 and Z2 parameters (see Table 4). The legitimate owaauth.dll file resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\ while CTU researchers have observed the backdoor using the same filename in the %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\ directory. In addition to acting as a web shell, the malware captures and DES-encrypts credentials before writing the username and password to disk. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries.

Each web shell instance is configured to contain SP, Key, and Log variables. The SP variable is a string containing the victim's username. When the malicious ISAPI filter captures a username matching this variable, it knows to handle the incoming HTTP request as a command to the web shell. The DES key to encrypt the credentials in the configuration observed by CTU researchers is 12345678, and the log file is c:\log.txt. The decrypted contents of the log file adhere to the format in Figure 22.

Appendix D — Domain name parking example

CTU researchers have observed TG-3390 parking domains by pointing their A record to a non-routable IP space, including the 127.0.0.[x] loopback address. Table 5 demonstrates how the threat actors change one of their C2 domains to point to routable and non-routable IP addresses over time.

Endnotes

[1] The Dell SecureWorks Counter Threat Unit(TM) (CTU) research team tracks threat groups by assigning them four-digit randomized numbers (3390 in this case), and compiles information from first-hand incident response observations and from external sources.

[2] Threat groups use strategic web compromises (SWCs), also known as watering hole attacks, to target a wide array of potential victims. Threat actors compromise a website used by their target demographic (e.g., compromising a website specializing in oil and gas industry news when targeting the energy vertical). Visitors to the compromised website are redirected to a server under the threat group's control, where their system is compromised with the threat group's malware. With this tactic, a threat group increases the likelihood of compromising systems that possess desired information.